People Picker
The SharePoint People Picker control can be used to find and select users and groups when assigning permissions to resources such as sites and lists and libraries. K2 uses the People Picker control in several areas such as permission management and task assignment. It is important to understand how the People Picker control resolves special users (aka, All Users) and claims users. For more information, see People Picker overview: http://technet.microsoft.com/en-us/library/gg602068.aspx
Resolving Names
The People Picker control has two modes for resolving names. The Check Names (Ctrl+K) option tries to match the provided text against all registered providers for the web site.
When the text provided can be resolved against more than one provider, the text is underlined in red and a list of available providers is presented in a popup when the text is selected.
This works well when all the claims providers have implemented search and name resolution. However, when claims providers, such as the default SharePoint provided SPTrustedClaimProvider, do not implement search and name resolution, all queries entered in the text box are automatically displayed as if they had been resolved, regardless of whether they are valid users or groups.
The following note is taken directly from the SharePoint product documentation. For more information, see Custom claims providers for People Picker (SharePoint Server 2010): http://technet.microsoft.com/en-us/library/gg602072.aspx
 |
When a Web application is configured to use SAML token-based authentication, the SPTrustedClaimProvider class does not provide search functionality to the People Picker control. Any text entered in the People Picker control will automatically be displayed as if it had been resolved, regardless of whether it is a valid user, group, or claim. If your SharePoint Server 2010 solution will use SAML token-based authentication, you should plan to create a custom claims provider to implement custom search and name resolution. |
It is recommended to utilize the Browse option when using the People Picker to ensure that the appropriate user or group is selected and assigned against the desired provider and claim.
Active Directory Users and Groups
Active Directory users are typically resolved by searching on the Windows user logon name or DOMAIN\Username format. Depending on the People Picker configuration, the user may appear in the Active Directory, the Organizations, or both search results. The key is to ensure that the user selected is the one for the User: Active Directory result.
Active Directory groups are typically resolved by searching on the Windows group name or DOMAIN\GroupName format. Depending on the People Picker configuration, the group may appear in the Active Directory, the Organization or both search results. The key is to ensure that the group selected is the one for the Security Group: Active Directory result.
Forms Authentication Users and Groups
Forms-based authenticated users are typically resolved by searching on the user logon name. Depending on the People Picker configuration, the user may appear in the Forms Auth, the Organizations, or both search results. The key is to ensure that the user selected is the one for the User: Forms Auth result.
Forms-based authentication groups are typically resolved by searching on the group name. Depending on the People Picker configuration, the group may appear in the Forms Auth, the Organizations, or both search results. The key is to ensure that the group selected is the one for the Role: Forms Auth result.
Trusted Provider Users and Groups (AD FS for Active Directory)
Trusted Provider based authentication provided by AD FS configured for the Active Directory attribute store users are typically resolved by searching on the DOMAIN\Username. Depending on the People Picker configuration, the user may appear in the Trusted Provider search results for each claim configured, in this example ADFS AD. The key is to ensure that the user selected is mapped to the search result for the identity claim, in this example Windows Account Name.
Trusted Provider based authentication provided by AD FS configured for the Active Directory attribute store groups are typically resolved by searching on the DOMAIN\GroupName. Depending on the People Picker configuration, the group may appear in the Trusted Provider search results for each claim configured, in this example ADFS AD. The key is to ensure that the group selected is mapped to the search result for the role claim, in this example Role.
|
The search text must match the text in claims provided by the trusted provider. For example, if the claim is in the format of DOMAIN\Username or DOMAIN\GroupName then the DOMAIN name must be used when executing the search. If the claim values do not contain the DOMAIN information then omit that when executing the search. |
For more information on configuring AD FS for Active Directory, see Concepts > Integration > SharePoint 2010 > Claims-based Authentication > Supported Configurations
Trusted Provider Users and Groups (AD FS for LDAP)
Trusted Provider based authentication provided by AD FS configured for the LDAP attribute store users are typically resolved by searching on the user logon name. Depending on the People Picker configuration, the user may appear in the Trusted Provider search results for each claim configured, in this example ADFS LDAP. The key is to ensure that the user selected is mapped to the search result for the identity claim, in this example Name.
Trusted Provider based authentication provided by AD FS configured for the LDAP attribute store groups are typically resolved by searching on the group name. Depending on the People Picker configuration, the group may appear in the Trusted Provider search results for each claim configured, in this example ADFS LDAP. The key is to ensure that the group selected is mapped to the search result for the role claim, in this example Role.
|
The search text must match the text in claims provided by the trusted provider. For example, if the claim is in the format of DOMAIN\Username or DOMAIN\GroupName then the DOMAIN name must be used when executing the search. If the claim values do not contain the DOMAIN information then omit that when executing the search. |
For more information on configuring AD FS for LDAP, see Concepts > Integration > SharePoint 2010 > Claims-based Authentication > Supported Configurations
All Users
The concept of “All Users” cannot be used in K2 for assigning tasks, interacting with tasks or assigning permissions. Built-in or configured groups for the appropriate K2 user manager, for example Domain Users for Active Directory, must be used instead.
The following “All Users” containers cannot be used with K2.
Active Directory, SharePoint 2007 and SharePoint 2010 classic-mode
- NT Authority\Authenticated Users
SharePoint 2010 claims-mode
• All Authenticated Users
• All Users ({WindowsProvider}), that is NT AUTHORITY\Authenticated Users
• All Users ({FormsProvider})
• All Users ({TrustedProvider})
Runtime Participants
Processes designed to utilize Runtime Participants make use of the People Picker control at runtime. The recommendations and limitations discussed in this topic apply when selecting additional participants. To remove existing participants, select the user or group from the list and click Remove as indicated below.
